Fix NONE policy validation and 'routeback' for wildcard interfaces
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@786 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
e147813da0
commit
80981e802e
@ -33,3 +33,8 @@ Changes since 1.4.7
14) Corrected handling of /32 addresses with broadcast in maclist
14) Corrected handling of /32 addresses with broadcast in maclist
processing.
processing.
15) Generate error for NONE policy where source or destination zone is
the firewall itself.
16) Fix 'routeback' for wildcard interfaces.
@ -636,11 +636,11 @@ validate_interfaces_file() {
all_interfaces="$all_interfaces $interface"
all_interfaces="$all_interfaces $interface"
options=`separate_list $options`
options=`separate_list $options`
interface=`chain_base $interface`
iface=`chain_base $interface`
eval ${interface}_broadcast="$subnet"
eval ${iface}_broadcast="$subnet"
eval ${interface}_zone="$z"
eval ${iface}_zone="$z"
eval ${interface}_options=\"$options\"
eval ${iface}_options=\"$options\"
for option in $options; do
for option in $options; do
case $option in
case $option in
@ -763,7 +763,14 @@ validate_policy()
esac
esac
case $policy in
case $policy in
ACCEPT|REJECT|DROP|CONTINUE|NONE)
ACCEPT|REJECT|DROP|CONTINUE)
;;
NONE)
[ "$client" = "$FW" -o "$server" = "$FW" ] && \
startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone"
[ -n "$clientwild" -o -n "$serverwild" ] && \
startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
;;
;;
*)
*)
startup_error "Invalid policy $policy"
startup_error "Invalid policy $policy"
@ -781,8 +788,6 @@ validate_policy()
[ "x$loglevel" = "x-" ] && loglevel=
[ "x$loglevel" = "x-" ] && loglevel=
chain=${client}2${server}
[ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
[ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
eval ${chain}_is_policy=Yes
eval ${chain}_is_policy=Yes
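Review bot: The removed `chain=${client}2${server}` is the only assignment of `$chain` visible in this file section, yet `$chain` is still consumed just below it in `all_policy_chains="$all_policy_chains $chain"` and `eval ${chain}_is_policy=Yes`. No replacement assignment appears in the other two hunks of this file, and the hunk offset (+7, which the new NONE arm accounts for on its own) suggests none was added elsewhere, so `chain` must already be set earlier in validate_policy, above what is shown; that is worth confirming, because an unset `$chain` would silently run `eval _is_policy=Yes` and append an empty word to `all_policy_chains` rather than fail. If the earlier assignment cannot be relied on, a guard such as `[ -n "$chain" ] || startup_error "Internal error: chain not set for $client $server"` before the eval would make the failure explicit. validate_policy begins and ends outside the hunks shown here.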
@ -43,7 +43,9 @@
# with this SOURCE and DEST in the
# with this SOURCE and DEST in the
# /etc/shorewall/rules file. If such a
# /etc/shorewall/rules file. If such a
# packet _is_ received, the result is
# packet _is_ received, the result is
# undefined.
# undefined. NONE may not be used if the
# SOURCE or DEST columns contain the
# firewall zone ($FW) or "all".
#
#
# LOG LEVEL If supplied, each connection handled under the default
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# POLICY is logged at that level. If not supplied, no
@ -59,6 +59,17 @@ Problems Corrected since version 1.4.7:
address with a broadcast address then an error would occur during
address with a broadcast address then an error would occur during
startup.
startup.
11) The NONE policy's intended use is to suppress the generating of
rules that can't possibly be traversed. This means that a policy of
NONE is inappropriate where the source or destination zone is
$FW. Shorewall now generates an error message if such a policy is
given in /etc/shorewall/policy. Previously such a policy caused
"shorewall start" to fail.
12) The 'routeback' option was broken for wildcard interfaces (e.g.,
"tun+"). This has been corrected so that 'routeback' now works as
expected in this case.
Migration Issues:
Migration Issues:
1. The definition of the ROUTE_FILTER option in shorewall.conf has
1. The definition of the ROUTE_FILTER option in shorewall.conf has